MODULE 6: IS AUDIT PROCESS
CA. Shweta Ajmera, M.Com, CA, DISA (ICAI)

IS AUDIT
Information systems auditing is a process of collecting and evaluating evidence to determine whether a computer system:
• safeguards assets,
• maintains data integrity,
• allows organizational goals to be achieved effectively,
• and uses resources efficiently.

Information Systems Auditing and the Organisation
• Safeguarding of Assets
• Data Integrity
• System Effectiveness
• System Efficiency

Asset Safeguarding
• The asset should not be destroyed, stolen or used for unauthorized purposes.
• Data is the most important asset of any organization.

Data Integrity
• The completeness, soundness, purity, authenticity and genuineness of the data.

System Efficiency
• An efficient information system uses minimum resources to achieve its required objectives.
• Resources like machine time, peripherals, system software and labour are scarce, and different application systems usually compete for their use.

Unit-I IS AUDIT PROCESS

IS Audit
• Availability: Will the organisation's computer systems be available for the business at all times when required?
• Confidentiality: Will the information in the systems be disclosed only to authorized users?
• Integrity: Will the information provided by the system always be accurate, reliable and timely?

IS Audit - Some Concepts
• IS Audit strategy
• Audit Objective
• Audit environment

Fundamentals for establishing IS Audit Function
• Audit Mission: The mission statement defines the primary purpose of the Audit function and provides an overview of the focus, priorities, values and principles against which audit decisions will be measured.

AUDIT CHARTER
• Audit charter should clearly state management's responsibility
• Audit charter is usually a part of internal audit, hence may include other audit functions
• Should state objectives of audit
• Role of IS audit is established by audit charter
• An IS auditor requires a clear mandate from the company to perform the IS audit. This mandate is called AUDIT CHARTER or ENGAGEMENT LETTER.
• Audit charter should be approved by the highest level of management and, once established, should not be altered except in exceptional circumstances.
• Audit charter should clearly address three aspects of responsibility, authority and accountability of the IS auditor as under:
• Responsibility – This may include
  • Scope
  • Objectives
  • Specific auditee requirements
  • Deliverables
• Authority – This may include
  • Right of access to information, personnel, locations and systems relevant to the performance of audit
• Accountability – This may include
  • Designated recipients of the report
  • Auditee's right
  • Agreed completion dates
  • Agreed fees, if applicable

Engagement Letter
Purpose
• Engagement letters are often used for individual assignments or for setting the scope and objectives of a relationship between the external IS auditor and an organisation.
Content
• The engagement letter should clearly address the three aspects – responsibility, authority and accountability

AUDIT PLANNING
• To perform audit planning, IS auditor should perform the following steps:
  • Gain understanding of business's mission, objectives, purposes and processes
  • Touring key organizational facilities
  • Studying applicable laws and regulations
  • Conduct internal control review
  • Reading background material including industry publications, annual reports etc.
  • Reviewing long term strategic plans
  • Interviewing key managers to understand business issues
  • Reviewing prior audit reports
  • Set audit scope and audit objectives
  • Develop audit strategy
  • Assign personnel resources to audit

RISK BASED AUDIT APPROACH
• Is used to determine the extent of compliance and/or substantive testing an auditor should undertake to fulfill the objectives of audit. Factors to consider include:
  • Knowledge of business
  • Degree of operational/internal controls available
• Risk assessment model may use a scoring system based on
  • Technical complexity
  • Level of controls in place
  • Level of financial loss

These factors may or may not be weighed to arrive at a measure of overall risks. Another way of risk assessment is judgmental, based upon management directives, historical perspectives, business goals and environment factors. A typical overview of risk based audit approach is presented below.

[Figure: overview of the risk based audit approach; the diagram slides did not survive in this text]

AUDIT PROGRAM
• Audit programs are based on the objective and scope of the assignment and become a guide for documenting
  • Various audit steps to be performed
  • Extent and type of evidential matters to be reviewed
• Though the steps need not necessarily be followed in sequence, the IS auditor is best advised to take a sequential approach in understanding the entity, evaluating control structure and testing the controls.

AUDIT RISKS AND MATERIALITY
• Audit risk is the risk that financial statements may contain material errors or that material errors may remain undetected.
• Sometimes audit risk may also refer to the risk that an auditor is prepared to accept
• Types of risks in an audit:
  • Inherent risk – based on nature of business and is independent of audit
  • Control risk – a risk that a material error may not be prevented or detected
  • Detection risk – a risk that an IS auditor may use inadequate test procedure and conclude that material errors do not exist when in fact they do.
  • Overall risk – a combination of the risk factors as above. The objective is to keep overall risk within acceptable levels.
• Materiality concept is applicable in case of financial audits.
• In the context of IS audit, materiality may mean that a significant internal control weakness exists which leaves the organization susceptible to threat leading to financial loss, business interruptions, loss of customer trust etc.
• Materiality always requires sound judgment from an auditor. For an IS auditor the task is still more difficult.

A Control is a System that Prevents, Detects or Corrects unlawful events.
• Information Systems Auditors ultimately are concerned with evaluating the reliability or operating effectiveness of controls.

TESTING OF CONTROLS
• After identifying the key controls, the auditor has to determine whether to test these controls through compliance or substantive testing
• Compliance testing determines whether the controls are functioning as intended.
• Substantive testing refers to verifying the integrity of processing. It provides evidence as to the validity and propriety of balances in financial statements and the transactions supporting such statements

There is direct correlation between the level of internal control and the amount of substantive testing to be applied.

EVIDENCE
• Information used to determine whether audit criteria or objective is met
• May include
  • Observations
  • Notes taken during interviews
  • Correspondence
  • Internal documentation
  • Result of test conducted by auditor
• Reliability may depend on
  • Independence of the provider of evidence
  • Qualification/competence level of the person providing information
  • Objectivity of evidence
• Techniques of gathering evidence may include
  • Review IS organization structure – key word here is adequate separation of duties
  • Reviewing IS documentation standard – key word here is that documentation may be in automated form rather than on paper. Documentation may include
    • System development initiating document
    • Functional design specifications
    • Program change histories
    • User manual
    • Database specifications
    • Test plans and reports
    • Quality assurance reports
  • Interviewing appropriate personnel – an interview form or checklist may be used. Also remember that interviews are not accusatory
  • Observing process and performance – key here is to document as much detail as possible. Also ensure that your observations do not obstruct the ongoing business
• Finally, a judgment call has to be made to determine which material is relevant for meeting the audit objective and to what extent reliance should be placed thereupon.

AUDIT REPORT
• End product of the audit
• The Audit Report format should be considered at the planning stage itself. No fixed format but may include:
  • Introduction including audit objectives, scope, period etc.
  • Overall conclusion and opinion on the adequacy of controls in the areas covered as per scope of audit
  • Any reservations or qualifications
  • Detailed findings/recommendations depending upon materiality and intended recipient of the report
  • Management responses including plan, if any, for implementation of the recommendations. (This may be included if required by terms of reference.)
• It is a good practice to also give an executive summary, preferably in a visual presentation mode

Salient feature of the IS Audit Report
• There cannot be a standard format. However, the contents and format of the IS audit report should contain the minimum requirements as per the reporting standards. Some of the features of Audit report:
  • Report, Content and form
  • Purpose and Content
  • Intended Recipients
  • Style and Content
  • Statement of Objectives
  • Scope of Audit
  • Restrictions on distribution
  • Significant findings
  • Conclusion
  • Recommendations
  • Reservations or qualifications
  • Presentations
  • Timeliness
  • Subsequent events
  • Follow Up

AUDIT DOCUMENTATION
• IS audit documentation includes the audit plan, a description or diagram of network environment, audit programs, minutes of meetings, audit evidence, findings, conclusions and recommendations, any report issued as result of audit work and management responses.
• Audit documentation should support the findings and conclusions/opinions.
• Also include questionnaires and understandable flow charts

ACTION TAKEN REPORT
• Sometimes, terms of reference may require an auditor to submit a follow up action report. If so, IS auditor must set up a follow up program to determine if the agreed corrective actions have been taken
• Follow up reporting may involve
  • Inquiry as to the current status
  • Certain audit steps to determine the extent and correctness of the implementation measures

SAMPLING
• Sampling is used when the entire population cannot be examined for reasons of cost, time or sheer volume
• Sample is a subset of population.
• Sampling approaches are:
  • Statistical – sample size and selection process are based on objective criteria. Each item in population has equal opportunity of being selected.
  • Non-statistical – sample size and the selection process are based on judgment. This type of sampling is also called judgmental sampling.

Both are subject to risk that conclusions may be wrong (sampling risk)
• Methods of sampling are:
  • Attribute sampling
  • Variable sampling
• Attribute sampling
  • Is applied in compliance testing
  • Deals with presence or absence of characteristics (attribute)
  • Conclusions are expressed in terms of rates of occurrence
• Variable sampling
  • Is applied in substantive testing
  • Deals with rupee value, weight etc. (variable characteristics)
  • Conclusions are expressed in terms of range of value or deviation from an expected value
• Important sampling terms include
  • Confidence coefficient – a measure of confidence in the testing process, expressed as a percentage. Remember
    • Stronger the internal control, lower can be the confidence coefficient
    • Greater the confidence coefficient, larger the sample size
  • Level of risk – is equal to 100 minus confidence coefficient
  • Expected error rate – applicable in attribute sampling only. Remember
    • Higher the expected error rate, larger the sample size
  • Tolerable error rate – acceptable upper limit of error. Used to set the precision amount in respect of compliance testing
• Key steps in using sampling in audit include
  • Determine the objectives of the test.
  • Define the population to be sampled.
  • Determine the sampling method, such as attribute versus variable sampling.
  • Determine the precision and reliability desired
  • Calculate the sample size.
  • Select the sample.
  • Evaluate the sample from an audit perspective

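The sampling steps above, carried through for an attribute (compliance) test, as an added example that is not from the original slides. The binomial model used for the sample size and the upper deviation limit, the function names and the ticket population are assumptions; the slides name no formula.

```python
import math
import random
# Assumption: deviations follow a binomial model (not stated in the slides).
def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k + 1))

def sample_size(confidence, expected_rate, tolerable_rate, max_n=5000):
    """Smallest n such that, if the true deviation rate were as high as
    tolerable_rate, seeing no more than the expected number of deviations
    would happen with probability <= level of risk (1 - confidence)."""
    if not 0 <= expected_rate < tolerable_rate < 1:
        raise ValueError("need 0 <= expected_rate < tolerable_rate < 1")
    risk = 1 - confidence
    for n in range(1, max_n + 1):
        allowed = math.ceil(round(expected_rate * n, 9))
        if binom_cdf(allowed, n, tolerable_rate) <= risk:
            return n
    raise ValueError("no sample size up to max_n meets the target")

def select_sample(population, n, seed):
    """Statistical selection: every item has an equal chance. The seed is
    kept in the working papers so the draw can be re-performed."""
    return sorted(random.Random(seed).sample(population, n))

def upper_deviation_limit(n, deviations, confidence):
    """Upper bound on the population deviation rate at the given confidence
    (bisection on the binomial CDF, which decreases as p grows)."""
    risk, lo, hi = 1 - confidence, 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > risk:
            lo = mid
        else:
            hi = mid
    return hi

def evaluate(n, deviations, confidence, tolerable_rate):
    """Compliance-test conclusion expressed as a rate of occurrence."""
    limit = upper_deviation_limit(n, deviations, confidence)
    return limit, limit <= tolerable_rate

if __name__ == "__main__":
    # Constructed population: 1,200 change tickets to test for approval.
    tickets = list(range(1, 1201))
    n = sample_size(0.95, 0.01, 0.05)
    picked = select_sample(tickets, n, seed=2024)
    print(n, picked[:5], evaluate(n, 1, 0.95, 0.05), evaluate(n, 4, 0.95, 0.05))
```

Raising the confidence coefficient or the expected error rate increases the returned sample size, which is the relationship the sampling terms above describe.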
Unit II Information Risk Management